Mobile Device Encryption

I. Title

A. Name: Mobile Device Encryption Policy

B. Number: 2017-02-15-mobiledeviceencryption

C. Author: M. Muth (ISC Information Security)

D. Status:

[ ] proposed [ ] under review [X] approved [ ] rejected [ ] obsolete

E. Date proposed: 2017-02-15

F. Date revised: N/A

G. Date approved: 2017-08-18

H. Effective date: 2017-12-13 (new mobile devices), 2018-09-13 (existing mobile devices)

II. Authority and Responsibility

Information Systems and Computing's Office of Information Security has the authority and responsibility to establish information security policies, guidelines, and standards.

III. Executive Summary

This policy describes the requirements for encrypting Penn-owned mobile devices. It includes generic requirements, as well as their current technical interpretation.

IV. Purpose

The purpose of the policy is to protect the confidentiality, integrity, and availability of University data stored on Penn-owned mobile devices.

V. Risk of Non-compliance

If a Penn-owned mobile device containing confidential University data is lost or stolen, Penn schools and centers are exposed to risk of regulatory fines, lawsuits, reputational damage, and the loss of trust by critical members of our community. For individuals, a loss of privacy may result, together with possible identity theft, embarrassment, harassment, and other problems.

VI. Definitions

Confidential University Data includes
Sensitive Personally Identifiable Information
Information relating to an individual that reasonably identifies the individual and, if compromised, could cause significant harm to that individual or to Penn. Examples may include, but are not limited to, Social Security numbers, credit card numbers, bank account information, student grades or disciplinary information, salary or employee performance information, donations, patient health information, information Penn has promised to keep confidential, and account passwords or encryption keys used to protect access to confidential University data.
Proprietary Information
Data, information, or intellectual property in which the University has an exclusive legal interest or ownership right, which, if compromised, could cause significant harm to Penn. Examples may include, but are not limited to, business planning, financial information, trade secrets, copyrighted material, and software, or comparable material from a third party when the University has agreed to keep such material confidential.
Other data
Other data whose disclosure would cause significant harm to Penn or its constituents.
Key escrow
An arrangement whereby an authorized party stores the keys needed to decrypt data, so the data can be decrypted even if the original key is lost.
Mobile Device
A mobile device running a workstation-class operating system, not an operating system limited to being run on mobile devices.
Temporary Use Mobile Device
A Mobile Device that is managed in such a way that it (1) contains user data for less than one day; (2) is wiped of user data between login sessions; and (3) does not leave the building during a login session.

VII. Scope

This policy applies to all Penn-owned mobile devices running a workstation-class operating system supported by Penn, and capable of doing native full-disk encryption, except for Temporary Use Mobile Devices.

VIII. Statement of policy

  1. Penn-owned mobile devices running an operating system supported by Penn, and capable of doing native full-disk encryption, must be encrypted.
  2. If the mobile device has multiple disk partitions, all must be encrypted. However, this requirement does not apply to partitions that the operating system does not support encrypting and that are not capable of or designed to store user data (e.g. system-required partitions such as boot partitions or recovery partitions).
  3. A key that can be used to decrypt the mobile device must be stored in a centralized management system or enterprise password vault.
  4. There must be a way, in the event of loss or theft of the device, to provide a log or report verifying that the mobile device was encrypted at the time of the most recent login or endpoint management polling or reporting cycle.
  5. ISC Information Security shall publish technical interpretations of this requirement (see References, below).

IX. Recommendations and Best Practices

  1. Penn-owned systems running Linux should be encrypted using the distribution's built-in whole disk encryption mechanism, or with a third-party solution (e.g. Symantec's PGP for Whole Disk Encryption).
    1. The decryption key should be escrowed manually with the staff member's supervisor or an IT Support Provider, using Secure Share (see References, below), GPG, or other secure mechanism to transfer the key.
    2. The key should be stored in an encrypted form.
  2. Periodically verify that the encrypted status is being reported/logged at the expected interval.

X. Compliance

A. Verification: ISC reserves the right to review a school or center's records verifying mobile device encryption.
B. Notification: Notification shall be made to the Security Liaison for the area.
C. Remedy: Remedy will be the establishment of required encryption and record keeping. ISC will offer consulting assistance to the school or center IT personnel where possible to bring the encryption program into compliance as quickly as possible.
D. Financial Implications: Costs associated with the implementation of mobile device encryption are the responsibility of the department, school, or center which provided funds to purchase the mobile device.
E. Responsibility: Responsibility for remedy lies with the department, school, or center which provided funds to purchase the mobile device.
F. Time Frame: This policy shall be effective three months after final approval for new mobile devices and 12 months after final approval for existing mobile devices. If a school or center security liaison believes that the school or center cannot comply with this timeframe, he or she may petition for an extension under Appeals, below.
G. Enforcement: The Office of Audit, Compliance and Privacy may include compliance in its periodic audits of schools and centers.
H. Appeals: Requests for a waiver from the requirements of this policy are decided by the University Information Security Officer. A waiver granted for the inability to meet one compliance requirement does not exempt the system owner from meeting all other requirements. All waiver requests may be submitted to ISC Information Security. Cases of ambiguity in the policy will be handled by the Network Policy Committee (NPC).

XI. References